Configure the Exchange Server 2007 HUB Transport Role to Receive Internet Mail
Topic Last Modified: 2011-06-16
In Microsoft Exchange Server 2007, the Edge Transport server and the Hub Transport server are similar. However, each is designed for the specific role that it plays, and the two roles have different default settings. For example, the Edge Transport server role is configured to accept Internet mail. The Hub Transport server role is configured to be as secure as possible and does not accept mail from unauthenticated (untrusted) sources.
Because the Hub Transport server is designed to be more secure than the Edge Transport server, some customers cannot run, or choose not to run, an Edge Transport server. But what if you want to receive Internet mail on the Hub Transport server? This topic describes how to configure a receive connector on a Hub Transport server to receive Internet mail.
Because Microsoft Exchange requires direct access to the Active Directory directory service, Microsoft Exchange servers should not be connected directly to the Internet. Regardless of whether you choose the Edge Transport role or the Hub Transport role to receive Internet mail, the Exchange server should be behind a firewall. The type of firewall that you use depends on the protocols that must be reachable from the Internet. For the Client Access server protocols, such as HTTPS, IMAP, and POP, the Exchange server should sit behind a reverse proxy or port-forwarding firewall, such as Internet Security and Acceleration (ISA) Server. ISA can detect and block attacks. For the Simple Mail Transfer Protocol (SMTP), we recommend that you install the Edge Transport role. Unlike other active SMTP filtering solutions, the Edge Transport server includes all the functionality of Exchange 2007 and can, optionally, be completely disjoined from the rest of the forest.
If you have only one server, we recommend that you consider a hygiene service such as Exchange Hosted Services (EHS). Or, your Internet service provider may offer a similar service. A common configuration for a single Exchange server is to have Microsoft Exchange sitting directly behind a NAT firewall or a reverse proxy, such as ISA. Obviously, this approach involves some additional risk. But for many smaller customers, the risk is acceptable.
For more information about Exchange Server and the options that are available for Internet connections, view the topic How to Configure Connectors for Internet Mail Flow.
When you use the Hub Transport server role instead of the Edge Transport server role to receive Internet mail, the following conditions apply to the main server features:
The Edge Transport server can be deployed in a perimeter network. To provide increased security, this server does not have to be joined to a domain. By contrast, the Hub Transport server must have a connection to the Active Directory directory service.
The Hub Transport server cannot be isolated. The SMTP stream from the Internet can include more than 70 percent spam. By separating the SMTP stream from your internal traffic, you can help prevent the processing and filtering of spam on the internal servers. Internal servers are then free to perform routing, compliance, and other mailbox-to-mailbox operations. This is especially important if internal e-mail is mission critical.
The Edge Transport rules agent is not available. Instead, the Hub Transport rules agent is available, and is used largely for compliance. By contrast, the Edge Transport rules are mainly for hygiene. For more information about this topic, view the topic Understanding Transport Rules.
The Hub Transport rules include some attachment options. However, the Hub Transport server cannot scan the incoming MIME stream for malicious attachment types and reject messages at the protocol layer. To work around this missing feature, antivirus products such as Microsoft Forefront can be used to provide this functionality.
The Address rewrite agent is not available on the Hub Transport server. Generally, this agent is used by larger corporations that use Edge Transport server or additional software that can perform this functionality. For more information about this feature, view the topic Managing the Address Rewriting Agent.
Receive connectors represent a logical gateway through which all inbound messages are received. There are many ways to configure receive connectors. However, the following directions describe the fewest steps required to configure a receive connector by using the Exchange Management Console.
Configure receive connectors in Exchange Management Console
In Exchange Management Console, click Hub Transport under the Server Configuration node.
In the results pane, click the name of the server that has the Hub Transport server role installed.
In the Work pane, double-click Default <Server_Name> on the Receive Connectors tab.
On the Permission Groups tab, click to select the Anonymous users check box, and then click OK.
Note: If you do not complete this step, the sender receives the following NDR error message when messages are sent to the Hub Transport server: “530 5.7.1 Client was not authenticated.”
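The same change made with the Exchange Management Shell, followed by a check that the connector now accepts anonymous submissions without also permitting relay. This is an added example, not part of the original topic; the server name HUB01 is a placeholder.

```powershell
# Added example, not from the original topic. Placeholder server name: HUB01.
# The default Hub Transport receive connector is identified as "<Server>\Default <Server>".
$connector = "HUB01\Default HUB01"

# The console step above, in the shell: keep the default permission groups and add Anonymous users.
Set-ReceiveConnector -Identity $connector `
    -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers

# Review what the connector now exposes: by default it listens on all addresses (Bindings)
# and accepts connections from any remote IP (RemoteIPRanges), so it is the Internet-facing entry point.
Get-ReceiveConnector -Identity $connector |
    Format-List Name,Bindings,RemoteIPRanges,PermissionGroups,AuthMechanism,Fqdn

# The Anonymous users permission group grants submission rights only (ms-Exch-SMTP-Submit,
# ms-Exch-SMTP-Accept-Any-Sender, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender,
# ms-Exch-Accept-Headers-Routing). The ms-Exch-SMTP-Accept-Any-Recipient right is what would
# turn the server into an open relay, so confirm that anonymous logon does not hold it.
$relayAces = Get-ADPermission -Identity $connector -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
if ($relayAces) {
    # An explicit Deny entry for the same right would also be listed here; inspect $relayAces.
    Write-Warning "$connector has an Accept-Any-Recipient entry for anonymous logon; review it."
} else {
    Write-Host "OK: anonymous senders can submit to accepted domains but cannot relay."
}
```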
For more information about receive connectors, view the following topics:
By default, Microsoft Exchange servers accept only e-mail that is addressed to the Windows domain of which the server is a member. To accept e-mail that is destined for your external SMTP domain, you may have to create a new accepted domain.
For more information about how to create a new accepted domain, view the topic How to Create Accepted Domains.
Note: If you do not complete this step, recipients in the organization may receive the following NDR error message when messages are sent directly: “550 5.7.1 Unable to relay.”
To send e-mail, you must configure a send connector. If you have installed Microsoft Exchange in an existing environment that contains Microsoft Exchange Server 2003, you likely already have a Send Connector (SMTP Connector). However, you should verify its settings.
If the connector is on your Exchange 2003 server, you can view the settings by using the Exchange 2007 Management Console. However, all changes to the Send Connector configuration must be completed by using the Exchange 2003 System Manager. For example, if you have a connector only on the Exchange 2003 server, all outbound e-mail goes through the Exchange 2003 server. If you have one connector on the Exchange 2003 server and one connector on the Microsoft Exchange server, all outbound e-mail goes through the closest connector. If you delete the send connector on the Exchange 2003 server, and if you have a send connector on the Microsoft Exchange server, all outbound e-mail passes through the Microsoft Exchange server.
To configure a Send Connector in Microsoft Exchange, use the Exchange Management Console. For more information about how to create a send connector in Exchange 2007, view the topic How to Create a New Send Connector.
As you use the New SMTP Send Connector wizard to create a send connector, select “Internet” for the usage type on the Introduction page. For all outbound e-mail to pass through the connector, set the address space of the connector to "*" on the Address space page, and set the type to “smtp.” For all other settings, follow the directions in the wizard, and then select the configuration that applies to your environment.
We recommend that you also set up a Sender Policy Framework (SPF) record for your domain. For more information about how to set up an SPF record, view the topic Sender ID Framework SPF Record Wizard.
For more information about send connectors, view the topic Understanding Send Connectors.
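The accepted-domain and send-connector steps above, performed with the Exchange Management Shell and then verified. This is an added example, not part of the original topic; the domain contoso.com, the server name HUB01 and the host name mail.contoso.com are placeholders.

```powershell
# Added example, not from the original topic. Placeholders: contoso.com, HUB01, mail.contoso.com.

# 1. Accepted domain: without it, mail for contoso.com is rejected with "550 5.7.1 Unable to relay".
New-AcceptedDomain -Name "Contoso" -DomainName "contoso.com" -DomainType Authoritative

# 2. Internet send connector: usage type Internet, address space "*" of type SMTP, so that all
#    outbound mail passes through it and is routed by DNS MX lookup. The FQDN is what the
#    connector announces in HELO/EHLO to receiving servers.
New-SendConnector -Name "Internet" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -SourceTransportServers "HUB01" `
    -DNSRoutingEnabled $true -Fqdn "mail.contoso.com"

# 3. Verify: the external domain must be listed as Authoritative, and the connector must be
#    enabled with the expected address space and source server.
Get-AcceptedDomain | Format-Table Name,DomainName,DomainType,Default -AutoSize
Get-SendConnector -Identity "Internet" |
    Format-List Name,Enabled,AddressSpaces,SourceTransportServers,DNSRoutingEnabled,Fqdn

# 4. The SPF record lives in public DNS, not in Exchange; confirm that it is published.
nslookup -type=TXT contoso.com
```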
Hub Transport servers must perform anti-spam functions when an Edge Transport server is not used in the environment. You can add this functionality to the Hub Transport servers by using the Exchange Management Shell.
To add anti-spam functions to a Hub Transport server
In Exchange Management Shell, change to the following directory: C:\Program Files\Microsoft\Exchange Server\Scripts
Type the following command, and then press ENTER: .\Install-AntispamAgents.ps1
Restart the computer.
After you enable anti-spam functionality, the Anti-spam tab appears in the Exchange Management Console.
For more information, view the topic Enable Anti-Spam Functionality on a Hub Transport Server.
Note: If you previously had any Exchange 2003 settings for anti-spam, you must migrate your settings to Microsoft Exchange. For more information, view the topic Managing Exchange 2003 Settings in a Coexistence Environment.
To help make Exchange Server run better, consider implementing the following suggestions:
Because the Exchange 2007 server is connected directly to the Internet, you may want to change the advertised FQDN that is sent in SMTP HELO/EHLO commands. Use the Exchange Management Console to configure this for both the send and receive connectors: on the General tab in Properties for each connector, specify the FQDN that the connector provides in response to HELO or EHLO.
Because you will not use an Edge Transport server, you do not require the Exchange 2007 EdgeSync service. In Services, set the Microsoft Exchange EdgeSync service to Disabled to prevent it from starting and using system resources.
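A shell script that verifies the anti-spam installation described above and applies the two suggestions in this section (send connector FQDN and EdgeSync). This is an added example, not part of the original topic; the server name HUB01, the host name mail.contoso.com and the address 10.0.0.10 are placeholders.

```powershell
# Added example, not from the original topic. Placeholders: HUB01, mail.contoso.com, 10.0.0.10.

# 1. Anti-spam: after running .\Install-AntispamAgents.ps1 and restarting, the hygiene agents
#    (Connection Filtering, Content Filter, Sender Id, Sender Filter, Recipient Filter,
#    Protocol Analysis) should be listed with Enabled set to True.
Get-TransportAgent | Format-Table Identity,Enabled,Priority -AutoSize

# The Sender ID and connection filtering agents evaluate the first SMTP hop that is not one
# of your own servers, so they must know which IP addresses are internal. Register the
# Hub Transport server's own address and any other internal SMTP host that relays inbound mail.
Set-TransportConfig -InternalSMTPServers 10.0.0.10

# 2. Advertise the public name in HELO/EHLO on the Internet send connector
#    (the receive connector is changed on its General tab as described above).
Set-SendConnector -Identity "Internet" -Fqdn "mail.contoso.com"
Get-SendConnector -Identity "Internet" | Format-List Name,Fqdn

# 3. No Edge Transport server means no EdgeSync: stop the service and prevent it from starting.
Set-Service -Name MSExchangeEdgeSync -StartupType Disabled
Stop-Service -Name MSExchangeEdgeSync
Get-Service -Name MSExchangeEdgeSync | Format-Table Name,Status -AutoSize
```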
To finish the configuration, follow these steps:
Make sure that your MX record is correct.
Make sure that your firewall allows inbound connections to TCP port 25.
If you already have a mail server, you can either reuse that server's IP address for the new Microsoft Exchange server, or update the firewall rule to forward to the new Microsoft Exchange server's internal IP address.
Use the Mail Flow Analyzer to help you troubleshoot issues that may occur. Additionally, several Web sites can help you diagnose DNS and SMTP receive problems, including the following sites:
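A quick check of the final steps from a machine outside the firewall: the MX record, the inbound port 25 rule, and what the receive connector announces. This is an added example, not part of the original topic; contoso.com and mail.contoso.com are placeholders.

```powershell
# Added example, not from the original topic. Placeholders: contoso.com, mail.contoso.com.

# 1. MX: the record must point at the public name that the firewall forwards to the Hub server.
nslookup -type=MX contoso.com

# 2. Port 25 and the receive connector: connect, read the banner and the EHLO response, then
#    disconnect. The banner carries the FQDN configured on the connector, and STARTTLS should
#    be offered (Exchange 2007 setup installs a self-signed certificate for it by default).
function Test-InboundSmtp {
    param([string]$HostName, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000                      # fail fast if the port is filtered
    $client.Connect($HostName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"                            # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    $banner = $reader.ReadLine()                        # "220 mail.contoso.com Microsoft ESMTP ..."
    $writer.WriteLine("EHLO probe.example.net")
    $ehlo = @()
    # Continuation lines are "250-..."; the last line of the reply is "250 ..." without the dash.
    do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match "^250-")
    $writer.WriteLine("QUIT")
    $client.Close()
    @{ Banner = $banner; StartTls = [bool]($ehlo -match "STARTTLS"); Ehlo = $ehlo }
}

$result = Test-InboundSmtp -HostName "mail.contoso.com"
$result.Banner
if (-not $result.StartTls) {
    Write-Warning "STARTTLS is not advertised; check the TLS setting on the receive connector."
}
```

If the connection times out, the firewall rule or the connector bindings are the first things to revisit; if the banner shows the server's internal name, the FQDN setting from the previous section has not been applied.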